Users' financial and password information were not at risk

It feels like we were due another massive online database leak, and, sure enough, there’s just been another one. On this occasion it’s wrestling fans who have been exposed, after an unprotected WWE database was discovered containing the personal information of over 3 million users.

Bob Diachenko, Chief Security Communications Officer at security firm Kromtech (the same company that discovered a database containing 560 million login credentials back in May), found the trove of data, which included home and email addresses, dates of birth, educational background, ethnicity, earnings, and even customers’ children’s age ranges and genders, all stored in plain text.

Diachenko said the data was stored on an Amazon Web Services S3 server that had no username or password protection and could be accessed by anyone who knew the web address to search.

It appears that this database comes from one of the WWE corporation’s marketing teams. The data matches that found in the account details of customers belonging to the WWE Network, the wrestling company’s subscription streaming service.

Amazingly, Diachenko found another open WWE database on Amazon Web Services; this one containing the addresses, telephone numbers, and names belonging to European fans.

"This is yet another warning to any company or service provider that handles and stores personal data. Security experts warn that not only should they audit their security processes regularly, but they should also have an incident response process in the event of a data leak and follow simple cyber hygiene rules," Diachenko told me in a message. "With the wave of ransomware attacks on companies and businesses recently, it is clear that the corporate sector is being targeted by cyber criminals."

WWE says it has since taken down the databases, which were likely misconfigured by someone at the company or one of its partners. The organization is working with AWS and security firms Smartronix and Praetorian to investigate how the database was unsecured.

"Although no credit card or password information was included, and therefore not at risk, WWE is investigating a vulnerability of a database housed on Amazon Web Services, which has now been secured," the company said.

Last month, conservative marketing and data firm Deep Root Analytics exposed political data on over 200 million Americans by not password protecting its database, which was also stored on an Amazon server.